Sebastian Singer <sebastian.sin...@kesslar.de> writes:

> So I do not want to cut him off the internet completely,  just limit
> his bandwidth so much that he is throttled if he has reached a set
> time limit or else if he reaches a certain amount of gb used.
>
> So the question is: is pf (ALTQ especially) able to cope with these
> requirements? And if so, how would such rules in pf.conf look? I am by far
> no pf guru but have run an OpenBSD SOHO server for about 10 years. So I
> think I do have a basic understanding of pf matters.

Most if not all queueing options that come to mind (mostly the hfsc
ones) only operate on a per connection (per state) level, but it's
possible to collect statistics on traffic from a specific IP address,
either via rules with labels (see e.g. [1] onwards) or, if the address is
part of a table, from the statistics collected on table entries, i.e. do a
pfctl -vt tablename -T show and you'll get something like this per table
entry:

   219.142.91.125
        Cleared:            Mon Apr  1 14:54:30 2013
        In/Block:           [ Packets: 874                Bytes: 51983          ]
        In/Pass:            [ Packets: 0                  Bytes: 0              ]
        Out/Block:          [ Packets: 0                  Bytes: 0              ]
        Out/Pass:           [ Packets: 0                  Bytes: 0              ]

You could then whip up a script that parses either that or pfctl -vsl
output for the labels scenario and if your rules assign traffic to
queues based on membership in tables, have your script shift the source
address to the table whose traffic gets assigned to a smaller bandwidth
queue, and run your script at short intervals from a system crontab.

Or in a 'no online games after 10 PM' or similar scenario, have a
slightly simpler script do the tables shuffling at a specific time
(again assuming you slice your traffic according to table membership).

Off the top of my head, I think those are the most workable options; I
hope this was a tiny bit helpful.

- Peter

[1] http://home.nuug.no/~peter/pf/newest/labelstats.html and also
    covered in The Book of PF (http://nostarch.com/pf2.htm and at 
    better bookstores)

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

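As an added example (not part of Peter's reply or of any pf tool), here is
one way to script the cron-driven table shuffling he describes: parse the
per-entry counters from pfctl -vt <table> -T show, and move any address
whose passed bytes exceed a quota into a second table that pf.conf maps to
a slower queue. The table names lanhosts and throttled, the queue names,
the quota value and the sample pfctl output embedded in the script are all
assumptions made up for illustration; the pfctl options used (-vt/-T show,
-T add, -T delete, -T zero, -k) are standard.

```shell
#!/bin/sh
# Added example, not from the original post: move hosts that exceed a byte
# quota from one pf table to another so that pf.conf assigns their traffic
# to a slower queue.  Table and queue names are assumptions for illustration.
#
# Assumed pf.conf fragment (ALTQ-era syntax, matching the thread):
#   table <lanhosts>  counters persist { 192.0.2.0/24 }
#   table <throttled> counters persist
#   pass out on $ext_if from <lanhosts>  queue normal
#   pass out on $ext_if from <throttled> queue slow
# The "counters" table option is required; without it pfctl -vt shows no
# per-entry statistics at all.  Keep the <throttled> rule last so it wins
# when an address is (briefly) present in both tables.

# Constructed sample of pfctl -vt lanhosts -T show output, in the same
# layout as the output quoted in the post; the counters are invented.
SAMPLE_PFCTL_OUTPUT='   192.0.2.10
        Cleared:            Mon Apr  1 14:54:30 2013
        In/Block:           [ Packets: 0                  Bytes: 0              ]
        In/Pass:            [ Packets: 874                Bytes: 51983          ]
        Out/Block:          [ Packets: 0                  Bytes: 0              ]
        Out/Pass:           [ Packets: 1200               Bytes: 1500000        ]
   192.0.2.20
        Cleared:            Mon Apr  1 14:54:30 2013
        In/Block:           [ Packets: 0                  Bytes: 0              ]
        In/Pass:            [ Packets: 10                 Bytes: 800            ]
        Out/Block:          [ Packets: 0                  Bytes: 0              ]
        Out/Pass:           [ Packets: 12                 Bytes: 1200           ]'

# over_quota QUOTA_BYTES
# Reads pfctl -vt <table> -T show output on stdin and prints, one per line,
# every address whose In/Pass + Out/Pass byte counters exceed QUOTA_BYTES.
# Blocked bytes are deliberately not counted against the quota.
over_quota() {
    awk -v quota="$1" '
        # An address line is the only line with a single field that looks
        # like an IPv4/IPv6 address or prefix; the counter lines have more.
        NF == 1 && $1 ~ /^[0-9a-fA-F.:\/]+$/ {
            flush(); addr = $1; bytes = 0; next
        }
        /In\/Pass|Out\/Pass/ {
            # The byte count is the field right after "Bytes:".
            for (i = 1; i <= NF; i++) if ($i == "Bytes:") bytes += $(i + 1)
        }
        END { flush() }
        function flush() {
            if (addr != "" && bytes > quota) print addr
            addr = ""
        }
    '
}

# rotate_to_throttled SRC_TABLE DST_TABLE QUOTA_BYTES
# Intended to run from root's crontab at short intervals, e.g.
#   */5 * * * * /usr/local/sbin/pf-quota lanhosts throttled 2000000000
# Moving the address drops its counters, so it will not be re-examined.
rotate_to_throttled() {
    src=$1; dst=$2; quota=$3
    pfctl -vt "$src" -T show | over_quota "$quota" | while read -r addr; do
        pfctl -t "$dst" -T add "$addr"
        pfctl -t "$src" -T delete "$addr"
        # Queue assignment happens when a state is created, so existing
        # connections keep the fast queue until their states are killed.
        pfctl -k "$addr"
    done
}

# reset_period SRC_TABLE DST_TABLE
# Run once per accounting period (e.g. monthly from cron): put everyone
# back in the normal table and zero the counters.
reset_period() {
    src=$1; dst=$2
    pfctl -t "$dst" -T show | while read -r addr; do
        pfctl -t "$src" -T add "$addr"
        pfctl -t "$dst" -T delete "$addr"
    done
    pfctl -t "$src" -T zero
}

# Usage from cron (only if called with arguments; sourcing the file does nothing):
case $# in
    3) rotate_to_throttled "$1" "$2" "$3" ;;
    2) reset_period "$1" "$2" ;;
esac
```

The time-of-day variant Peter mentions ("no online games after 10 PM")
needs none of the parsing: two cron entries that call pfctl -t ... -T add
and -T delete for the address at the set times, followed by pfctl -k, are
enough.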